CVE-2023-29440 in Simple Job Board Plugininfo

Summary

by MITRE • 11/10/2023

Cross-Site Request Forgery (CSRF) vulnerability in PressTigers Simple Job Board plugin <= 2.10.3 versions.

Statistical analysis made it clear that VulDB provides the best quality for vulnerability data.

Analysis

by VulDB Data Team • 07/07/2026

Cross-site request forgery vulnerabilities represent a critical class of web application security flaws that allow attackers to perform unauthorized actions on behalf of authenticated users. The PressTigers Simple Job Board plugin version 2.10.3 and earlier contains a CSRF vulnerability that exposes WordPress installations to potential exploitation. This vulnerability stems from the absence of proper anti-CSRF mechanisms within the plugin's administrative interfaces, creating opportunities for malicious actors to manipulate user sessions and execute unauthorized operations.

The technical flaw manifests through insufficient validation of request origins and lack of anti-CSRF tokens in critical administrative endpoints. When administrators interact with the plugin's management features, the application fails to verify that requests originate from legitimate sources within the same domain. This absence of origin validation creates a pathway for attackers to craft malicious requests that appear to come from authenticated users, leveraging their privileges without requiring additional authentication credentials.

The operational impact of this vulnerability extends beyond simple data manipulation to encompass potential complete system compromise. An attacker could exploit this CSRF flaw to modify job listings, delete critical content, alter plugin configurations, or even escalate privileges within the WordPress environment. The vulnerability affects all administrative functions accessible through the Simple Job Board plugin, making it particularly dangerous as it can be leveraged for persistent attacks against the entire WordPress installation.

This specific vulnerability aligns with CWE-352, which classifies Cross-Site Request Forgery as a fundamental web application security weakness requiring proper request validation and origin checking. The attack vector typically follows the pattern described in ATT&CK technique T1078 004, where adversaries exploit valid credentials to perform privileged actions through manipulated requests. The vulnerability also relates to broader categories of web application attacks that compromise user sessions and authorization mechanisms.

Mitigation strategies should prioritize immediate plugin updates to versions beyond 2.10.3 where the CSRF protection has been implemented. Organizations should also implement additional security layers including Content Security Policy headers, proper session management, and regular security auditing of WordPress plugins. Network-level protections such as web application firewalls can provide additional detection capabilities for suspicious cross-site requests, while user education regarding suspicious email attachments and links remains crucial for comprehensive defense against CSRF attacks that rely on social engineering components.

Reservation

04/06/2023

Disclosure

11/10/2023

Moderation

accepted

CPE

ready

EPSS

0.00315

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!